plain-crypto-js
plain-crypto-js is a malicious npm package used as a phantom dependency in the compromised Axios releases axios@1.14.1 and axios@0.30.4 published during the March 31, 2026 npm supply-chain attack. It masqueraded as the legitimate crypto-js package by cloning that package's metadata, and nothing in the Axios source ever imported it: its only purpose was to get a postinstall hook ("node setup.js") executed during npm install. Because a phantom dependency is reachable only through dependency resolution, the victims were developer workstations and CI runners that installed or updated to the compromised versions; the hook does not fire where lifecycle scripts are disabled (ignore-scripts=true in .npmrc, or npm ci --ignore-scripts), which is the single most effective blanket mitigation for this class of attack.

The package functioned as a cross-platform RAT dropper for Windows, macOS, and Linux. The obfuscated Node.js setup.js script layered string reversal, Base64 decoding, XOR with the key OrDeR_7077, and symbol substitution, then contacted attacker-controlled infrastructure at sfrclak[.]com:8000 (142.11.206[.]73); callnrwise[.]com was also reported as associated infrastructure. It communicated over HTTP POST, disguising the traffic with registry-looking paths (packages.npm[.]org/product0, product1, and product2, one per platform) and carrying the campaign identifier 6202033.

Platform behaviour as reported: on macOS it downloaded a Mach-O payload to /Library/Caches/com.apple.act.mond and launched it via zsh; on Windows it copied the PowerShell binary to %PROGRAMDATA%\wt.exe, used VBScript and PowerShell to execute a secondary RAT, and established persistence via a Run key; on Linux it downloaded /tmp/ld.py and executed it with nohup python3.

Reported RAT capabilities included reconnaissance, file and process enumeration, persistence, remote command execution, payload delivery, and self-destruct/anti-forensics behaviour. Supported commands were kill, runscript, peinject, and rundir; the implant beaconed every 60 seconds with Base64-encoded JSON over HTTP POST and a hard-coded User-Agent resembling Internet Explorer 8 on Windows XP. After execution the dropper deleted setup.js, removed the malicious package.json and its postinstall entry, and replaced it with decoy content. For responders this means the on-disk package.json of an installed tree cannot be trusted on its own; the project lockfile and the npm cache copy of the tarball are better witnesses to what was actually installed.
The campaign followed the hijacking of an Axios maintainer's npm account and has been linked in reporting to North Korea-associated activity, including overlaps with WAVESHAPER; Microsoft attributed the Axios compromise to Sapphire Sleet and Google attributed it to UNC1069. Reported affected sectors included business services, finance, retail, technology, healthcare, higher education, insurance, media and entertainment, medical equipment, professional and legal services, and government-related environments across the U.S., Europe, the Middle East, South Asia, and Australia.

High-confidence indicators mentioned in reporting:
Package: plain-crypto-js@4.2.1 (4.2.0 was a staged precursor)
Network: sfrclak[.]com, callnrwise[.]com, 142.11.206[.]73
Host artifacts: /Library/Caches/com.apple.act.mond (macOS), %PROGRAMDATA%\wt.exe (Windows), /tmp/ld.py (Linux)
SHA-256: setup.js e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09; Linux ld.py fcb81618bb15edfdedfb638b4c08a2af9cac9ecfa551af135a8402bf980375cf; PowerShell artifact 6202033.ps1 ed8560c1ac7ceb6983ba995124d5917dc1a00288912387a6389296637d5f815c
Groups observed using it
1 distinct threat actor attributed by public researchers.
These versions introduced a phantom dependency -- plain-crypto-js@4.2.1 ... a package that had not existed before that day and is never actually imported by axios code. Its sole purpose was to execute a postinstall script that drops and runs a cross-platform RAT targeting macOS, Windows, and Linux.
Techniques & procedures
27 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Unit 42 researchers have observed widespread impact from the significant supply chain attack targeting the Axios JavaScript library. The attack occurred after an Axios maintainer's npm account was hijacked, leading to the release of malicious updates (versions v1.14.1 and v0.30.4).
They tried to introduce a malicious dependency named "plain-crypto-js", an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor across Windows, macOS, and Linux operating systems
Execution (11 techniques)
Windows: The dropper searches for and copies the legitimate Windows PowerShell binary to %PROGRAMDATA%\wt.exe. It then uses VBScript to fetch and execute a secondary PowerShell RAT script, which is subsequently executed by wt.exe.
macOS: The dropper uses AppleScript to download a C++ compiled Mach-O binary, saves it to /Library/Caches/com.apple.act.mond, makes it executable and launches it silently via /bin/zsh.
Linux: The dropper uses the Node.js execSync command to download a Python RAT script to /tmp/ld.py, running it in the background using the nohup command.
plain-crypto-js, which included a postinstall script that ran a setup.js script via node. When developers or CI pipelines run npm install axios@1.14.1, NPM resolves the dependency tree, downloads plain-crypto-js@4.2.1, and runs the postinstall script. Running node setup.js triggers the compromise sequence.
Once installed, npm automatically ran post-install scripts tied to the dependency.
This triggers npm's postinstall lifecycle hook, executing a heavily obfuscated Node.js dropper script named setup.js in the background.
Persistence (1 technique)
Privilege Escalation (2 techniques)
The C2 server accepts the same four commands from the attacker: kill (self-terminate) runscript (execute shell/script commands) peinject (drop and execute binary payloads) rundir (enumerate directories)
Stealth (9 techniques)
a malicious dependency named "plain-crypto-js", an obfuscated dropper that deploys the WAVESHAPER.V2 backdoor
To make this outbound traffic look like benign npm registry requests, it appends platform-specific paths: packages.npm[.]org/product0 for macOS ... All the RAT variants use a hard-coded... user-agent string spoofing Internet Explorer 8 on Windows XP
Upon successfully launching the payload, the Node.js dropper performs aggressive anti-forensic cleanup. It deletes the setup.js file, removes the postinstall hook and replaces the tampered package.json with a clean decoy file named package.md .
After launching the second-stage payload, the installer logic removes its own loader ( setup.js ) and removes the manifest ( package.json ) that contained the install trigger. It then renames package.md to package.json , leaving behind a clean-looking manifest
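The Execution excerpts above describe the install-time trigger (npm resolves plain-crypto-js@4.2.1, runs its postinstall hook) and the Stealth excerpts describe the cleanup that follows (setup.js deleted, the tampered package.json swapped for a decoy). One practical consequence is that npm's own lockfile keeps a record (hasInstallScript) of packages that shipped an install script, while the decoy manifest on disk no longer does. The following audit script is an added example, not code from the page, from Mallory, or from any vendor report. The lockfile and manifests it uses are constructed, the KNOWN_BAD set holds only the name/versions named on this page, and the lockfile-versus-manifest cross-check is a heuristic of mine rather than a published rule.

```python
"""Audit an npm lockfile and the installed node_modules tree for install-script
abuse of the kind described above.

Added example; this is not code from the page or from any vendor report.
Assumptions (labelled): the lockfile and manifests below are constructed, the
KNOWN_BAD set holds only the name/versions named on this page, and the
lockfile-vs-manifest cross-check is a heuristic of mine, not a published rule.
"""
import json
from collections import defaultdict
from pathlib import Path
from typing import Dict, List

# name/version pairs named as indicators on this page
KNOWN_BAD = {("plain-crypto-js", "4.2.0"), ("plain-crypto-js", "4.2.1")}
# npm lifecycle hooks that run arbitrary code during install
LIFECYCLE = ("preinstall", "install", "postinstall")


def _pkg_name(path: str) -> str:
    # "node_modules/a/node_modules/@s/b" -> "@s/b"
    return path.rsplit("node_modules/", 1)[1]


def audit_lockfile(lock: dict) -> List[dict]:
    """Report lockfile entries (lockfileVersion 2/3 'packages' map) that npm
    marked hasInstallScript, or that match a known-bad name@version, along
    with the packages whose dependency lists pull each one in."""
    packages = lock.get("packages", {})
    dependents: Dict[str, List[str]] = defaultdict(list)
    for path, meta in packages.items():
        for dep in meta.get("dependencies", {}):
            dependents[dep].append(path or "(root)")
    findings = []
    for path, meta in packages.items():
        if not path.startswith("node_modules/"):
            continue
        name, version = _pkg_name(path), meta.get("version", "?")
        reasons = []
        if meta.get("hasInstallScript"):
            reasons.append("hasInstallScript")
        if (name, version) in KNOWN_BAD:
            reasons.append("known-bad IOC")
        if reasons:
            findings.append({"package": f"{name}@{version}", "reasons": reasons,
                             "pulled_in_by": dependents.get(name, [])})
    return findings


def detect_cleanup(lock: dict, installed: Dict[str, dict]) -> List[str]:
    """Cross-check: the lockfile says a package ships an install script, but the
    package.json now on disk declares none. That mismatch is what the reported
    cleanup (delete setup.js, swap in a decoy manifest) leaves behind."""
    suspicious = []
    for path, meta in lock.get("packages", {}).items():
        if not path.startswith("node_modules/") or not meta.get("hasInstallScript"):
            continue
        manifest = installed.get(_pkg_name(path))
        if manifest is not None and not any(k in manifest.get("scripts", {}) for k in LIFECYCLE):
            suspicious.append(_pkg_name(path))
    return suspicious


def load_installed(root: Path) -> Dict[str, dict]:
    """Read every node_modules/**/package.json under a real project root."""
    out = {}
    for manifest in root.glob("node_modules/**/package.json"):
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue
        if "name" in data:
            out[data["name"]] = data
    return out


# Constructed sample: a project pinned to the compromised axios release.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"axios": "1.14.1"}},
        "node_modules/axios": {"version": "1.14.1",
                               "dependencies": {"follow-redirects": "^1.15.6",
                                                "plain-crypto-js": "4.2.1"}},
        "node_modules/follow-redirects": {"version": "1.15.6"},
        "node_modules/plain-crypto-js": {"version": "4.2.1", "hasInstallScript": True},
    },
}
# Constructed on-disk manifests after install; the decoy manifest has no scripts.
SAMPLE_INSTALLED = {
    "axios": {"name": "axios", "version": "1.14.1"},
    "follow-redirects": {"name": "follow-redirects", "version": "1.15.6"},
    "plain-crypto-js": {"name": "plain-crypto-js", "version": "4.2.1", "main": "index.js"},
}

if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCK):
        print(f"FLAG {f['package']}: {', '.join(f['reasons'])} <- {f['pulled_in_by']}")
    for name in detect_cleanup(SAMPLE_LOCK, SAMPLE_INSTALLED):
        print(f"TAMPERED? {name}: lockfile hasInstallScript but manifest has no lifecycle script")
```

To run it against a real project, load the lockfile with json.loads(Path("package-lock.json").read_text()) and pass load_installed(Path(".")) as the second argument. hasInstallScript is also set for legitimate packages that compile native code, so treat audit_lockfile output as a triage list; the detect_cleanup mismatch is the stronger signal. Both checks are after-the-fact; the preventive control is ignore-scripts=true in .npmrc (or npm ci --ignore-scripts) so that a postinstall hook never runs in the first place.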
Discovery (2 techniques)
The malware was designed to perform reconnaissance... WAVESHAPER also... collects the returned system information, which is sent to the C2 server in an HTTP POST request.
Command and Control (4 techniques)
During execution, the malware contacts command-and-control (C2) infrastructure at sfrclak[.]com to deliver platform-specific payloads, then deletes itself and replaces its package.json with a clean version to evade detection.
The full C2 URL is: http://sfrclak[.]com:8000/6202033
The dropper queries the operating system and sends an HTTP POST request to a command-and-control (C2) server at sfrclak[.]com:8000... The C2 server delivers a different payload depending on the victim's operating system.
The code was heavily obfuscated and built to stay unnoticed long enough to deploy a remote access trojan across Linux, macOS, and Windows systems.
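The excerpts above and in the Stealth section give a usable network signature: HTTP POST to sfrclak[.]com on port 8000, paths that imitate an npm registry URL (packages.npm[.]org/product0 and siblings), a hard-coded User-Agent spoofing Internet Explorer 8 on Windows XP, Base64-encoded JSON bodies, and a 60-second beacon interval. The hunting script below is an added example, not code from the page or from any vendor; it scores each weak signal independently and adds a periodicity check so that no single indicator has to carry the alert. The tab-separated log format and all six log lines are constructed. Reporting does not print the exact User-Agent string or the full request path, so IE8_XP_UA and the sample path are representative patterns, not known literals.

```python
"""Hunt the C2 beaconing pattern described above in HTTP proxy logs.

Added example; not code from the page or from any vendor. Assumptions
(labelled): the tab-separated log format and the six log lines are
constructed; the exact spoofed IE8/XP User-Agent and the full request path
layout are not printed in reporting, so IE8_XP_UA and the sample path are
representative patterns, not known literals.
"""
import base64
import binascii
import json
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

IOC_HOSTS = {"sfrclak.com", "callnrwise.com", "142.11.206.73"}   # from the page
DISGUISED_PATH = re.compile(r"packages\.npm\.org/product[0-2]\b")  # registry look-alike
IE8_XP_UA = re.compile(r"MSIE 8\.0;.*Windows NT 5\.1")             # assumed pattern
BEACON_PERIOD_S, JITTER_S = 60.0, 5.0                              # 60 s beacon, per reporting


def parse_line(line: str) -> dict:
    """Constructed format: ts, src, method, host, port, path, user-agent, body."""
    ts, src, method, host, port, path, ua, body = line.rstrip("\n").split("\t")
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method,
            "host": host, "port": port, "path": path, "ua": ua, "body": body}


def body_is_b64_json(body: str) -> bool:
    """True if the body is strict Base64 wrapping a JSON object."""
    if body in ("", "-"):
        return False
    try:
        return isinstance(json.loads(base64.b64decode(body, validate=True)), dict)
    except (binascii.Error, ValueError):
        return False


def score_request(rec: dict) -> List[str]:
    """Independent weak signals; an alert needs at least two of them."""
    reasons = []
    if rec["host"] in IOC_HOSTS:
        reasons.append("ioc-host")
    if rec["method"] == "POST" and rec["port"] == "8000":
        reasons.append("post-8000")
    if DISGUISED_PATH.search(rec["path"]):
        reasons.append("npm-lookalike-path")
    if IE8_XP_UA.search(rec["ua"]):
        reasons.append("ie8-xp-ua")
    if body_is_b64_json(rec["body"]):
        reasons.append("b64-json-body")
    return reasons


def periodic_pairs(records: List[dict]) -> Dict[Tuple[str, str], float]:
    """(src, host) pairs whose inter-request gaps sit at ~60 s with low jitter."""
    by_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for r in records:
        by_pair[(r["src"], r["host"])].append(r["ts"])
    periodic = {}
    for pair, times in by_pair.items():
        if len(times) < 3:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = statistics.median(gaps)
        if abs(med - BEACON_PERIOD_S) <= JITTER_S and max(abs(g - med) for g in gaps) <= JITTER_S:
            periodic[pair] = med
    return periodic


def hunt(lines: List[str]) -> List[dict]:
    """Parse, score, and add the beacon-period signal; return alert records."""
    records = [parse_line(l) for l in lines if l.strip()]
    periodic = periodic_pairs(records)
    alerts = []
    for r in records:
        reasons = score_request(r)
        if (r["src"], r["host"]) in periodic:
            reasons.append("60s-beacon")
        if len(reasons) >= 2:
            alerts.append({"ts": r["ts"].isoformat(), "src": r["src"],
                           "host": r["host"], "reasons": reasons})
    return alerts


# Constructed sample log: four beacons, one benign registry fetch, one benign API POST.
_B64 = base64.b64encode(b'{"os":"darwin","host":"dev-mac-01"}').decode()
_UA = "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"  # representative
_PATH = "/6202033/packages.npm.org/product0"                               # assumed layout
SAMPLE_LOG = [
    "\t".join([t, "10.0.0.5", "POST", "sfrclak.com", "8000", _PATH, _UA, _B64])
    for t in ("2026-03-31T12:00:00", "2026-03-31T12:01:00",
              "2026-03-31T12:02:01", "2026-03-31T12:03:00")
] + [
    "\t".join(["2026-03-31T12:00:30", "10.0.0.5", "GET", "registry.npmjs.org", "443",
               "/axios", "npm/10.8.2 node/v20.11.0", "-"]),
    "\t".join(["2026-03-31T12:00:45", "10.0.0.7", "POST", "api.example.com", "443",
               "/v1/events", "curl/8.4.0", _B64]),
]

if __name__ == "__main__":
    for a in hunt(SAMPLE_LOG):
        print(f"{a['ts']} {a['src']} -> {a['host']}: {', '.join(a['reasons'])}")
```

The benign API POST in the sample carries a Base64 JSON body too and is deliberately left unflagged: that signal alone is common in legitimate traffic, which is why the script requires two independent reasons. The periodicity check is the part worth keeping after the named domains rotate, since a fixed 60-second sleep survives infrastructure changes; widen JITTER_S if the implant is suspected of randomising its interval.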
Impact (1 technique)
The malware was designed to perform reconnaissance and establish persistence, with an added feature to self-destruct for evasion.
IOCs tracked for this family
25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups, covering IPs, domains, and DNS infrastructure linked to this family; file hashes (MD5, SHA-1, SHA-256) from samples and reports; and other indicator types observed in public reporting.
Recent activity
12 sources tracked across advisories, community write-ups, and news.
A malicious npm package used in the Axios supply-chain compromise. It executes a postinstall script that drops a cross-platform remote access trojan for macOS, Windows, and Linux, performs reconnaissance, establishes persistence, communicates with a live C2 server, and includes self-deletion for evasion.
A cross-platform remote access trojan introduced via malicious Axios package updates. It was designed to perform system reconnaissance, establish persistence, and then self-destruct to evade forensic detection.
A malicious fake npm dependency inserted into compromised Axios releases that used a postinstall hook to fetch and deploy a cross-platform remote access trojan on Windows, macOS, and Linux.
Trojanized npm package used in a software supply-chain compromise. It executes via npm postinstall, performs OS detection, downloads and launches platform-specific payloads, steals credentials and secrets, exfiltrates data to attacker-controlled C2 infrastructure, and maintains persistent remote control across Windows, macOS, and Linux.